CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
7.0 | $0-$5k | 0.00 |
A vulnerability classified as critical was found in Red Hat Enterprise Linux Desktop 5.0 (Operating System). Affected by this vulnerability is an unknown code. The manipulation with an unknown input leads to a remote code execution vulnerability. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:
tog-pegasus in OpenGroup Pegasus 2.7.0 on Red Hat Enterprise Linux (RHEL) 5, Fedora 9, and Fedora 10 does not log failed authentication attempts to the OpenPegasus CIM server, which makes it easier for remote attackers to avoid detection of password guessing attacks.
The bug was discovered 11/25/2008. The weakness was disclosed 11/25/2008 as Bug 472017 as not defined bug report (Bugzilla). The advisory is shared at bugzilla.redhat.com. This vulnerability is known as CVE-2008-4315 since 09/29/2008. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available.
The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 43717 (CentOS 5 : tog-pegasus (CESA-2008:1001)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family CentOS Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 117226 (CentOS Security Update for tog (CESA-2008:1001)).
Upgrading eliminates this vulnerability. A possible mitigation has been published 7 hours after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (46830) and Tenable (43717). The entry 45216 is pretty similar.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 7.0
VulDB Base Score: 7.3
VulDB Temp Score: 7.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Remote Code ExecutionCWE: Unknown
ATT&CK: Unknown
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 43717
Nessus Name: CentOS 5 : tog-pegasus (CESA-2008:1001)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 870015
OpenVAS Name: Rhino Software Serv-U SITE SET Command Denial Of Service vulnerability
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Timeline
09/29/2008 🔍11/25/2008 🔍
11/25/2008 🔍
11/25/2008 🔍
11/25/2008 🔍
11/25/2008 🔍
11/26/2008 🔍
11/26/2008 🔍
11/26/2008 🔍
12/01/2008 🔍
01/06/2010 🔍
03/17/2015 🔍
08/21/2019 🔍
Sources
Vendor: redhat.comAdvisory: Bug 472017
Status: Not defined
Confirmation: 🔍
CVE: CVE-2008-4315 (🔍)
OVAL: 🔍
X-Force: 46830
SecurityTracker: 1021281
Vulnerability Center: 20081 - OpenGroup Pegasus CIM Server 2.7.0 on RHEL 5, 9, 10 Vulnerability Allows Password Guessing Attacks, Medium
Secunia: 32862 - Red Hat update for tog-pegasus, Less Critical
OSVDB: 50278 - OpenPegasus CIM server (tog-pegasus) on Red Hat Linux Failed Authentication Logging Weakness
See also: 🔍
Entry
Created: 03/17/2015 16:11Updated: 08/21/2019 10:15
Changes: 03/17/2015 16:11 (80), 08/21/2019 10:15 (3)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.